Posted to commits@cxf.apache.org by co...@apache.org on 2013/12/16 16:18:58 UTC
svn commit: r1551228 - in /cxf/trunk/services/sts/sts-core/src:
main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java
Author: coheigea
Date: Mon Dec 16 15:18:58 2013
New Revision: 1551228
URL: http://svn.apache.org/r1551228
Log:
Validation fix in the STS
Modified:
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java
Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java?rev=1551228&r1=1551227&r2=1551228&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/SAMLTokenValidator.java Mon Dec 16 15:18:58 2013
@@ -153,6 +153,29 @@ public class SAMLTokenValidator implemen
SAMLTokenPrincipal samlPrincipal = new SAMLTokenPrincipalImpl(assertion);
response.setPrincipal(samlPrincipal);
+ if (!assertion.isSigned()) {
+ LOG.log(Level.WARNING, "The received assertion is not signed, and therefore not trusted");
+ return response;
+ }
+
+ RequestData requestData = new RequestData();
+ requestData.setSigVerCrypto(sigCrypto);
+ WSSConfig wssConfig = WSSConfig.getNewInstance();
+ requestData.setWssConfig(wssConfig);
+ requestData.setCallbackHandler(callbackHandler);
+ requestData.setMsgContext(tokenParameters.getWebServiceContext().getMessageContext());
+
+ WSDocInfo docInfo = new WSDocInfo(validateTargetElement.getOwnerDocument());
+
+ // Verify the signature
+ Signature sig = assertion.getSignature();
+ KeyInfo keyInfo = sig.getKeyInfo();
+ SAMLKeyInfo samlKeyInfo =
+ SAMLUtil.getCredentialFromKeyInfo(
+ keyInfo.getDOM(), new WSSSAMLKeyInfoProcessor(requestData, docInfo), sigCrypto
+ );
+ assertion.verifySignature(samlKeyInfo);
+
SecurityToken secToken = null;
byte[] signatureValue = assertion.getSignatureValue();
if (tokenParameters.getTokenStore() != null && signatureValue != null
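Review bot: `keyInfo` returned by `sig.getKeyInfo()` is dereferenced at `keyInfo.getDOM()` without a null check, so a signed assertion that carries no ds:KeyInfo would fail with a NullPointerException instead of taking the warning-and-return path used for unsigned assertions just above; whether the enclosing validateToken turns that into an invalid-token response depends on code outside this hunk. I would guard it the same way: `if (keyInfo == null) { LOG.log(Level.WARNING, "The received assertion's signature has no KeyInfo, and therefore cannot be verified"); return response; }`. Placing the signature check ahead of the token-store lookup is the point of the fix, and it deserves a comment so the order is not "tidied" back later, e.g. `// Verify the signature before consulting the token store: a cache hit must never bypass signature verification`. The method's body starts and ends outside this hunk.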
@@ -169,29 +192,6 @@ public class SAMLTokenValidator implemen
}
if (secToken == null) {
- if (!assertion.isSigned()) {
- LOG.log(Level.WARNING, "The received assertion is not signed, and therefore not trusted");
- return response;
- }
-
- RequestData requestData = new RequestData();
- requestData.setSigVerCrypto(sigCrypto);
- WSSConfig wssConfig = WSSConfig.getNewInstance();
- requestData.setWssConfig(wssConfig);
- requestData.setCallbackHandler(callbackHandler);
- requestData.setMsgContext(tokenParameters.getWebServiceContext().getMessageContext());
-
- WSDocInfo docInfo = new WSDocInfo(validateTargetElement.getOwnerDocument());
-
- // Verify the signature
- Signature sig = assertion.getSignature();
- KeyInfo keyInfo = sig.getKeyInfo();
- SAMLKeyInfo samlKeyInfo =
- SAMLUtil.getCredentialFromKeyInfo(
- keyInfo.getDOM(), new WSSSAMLKeyInfoProcessor(requestData, docInfo), sigCrypto
- );
- assertion.verifySignature(samlKeyInfo);
-
// Validate the assertion against schemas/profiles
validateAssertion(assertion);
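Review bot: The `if (secToken == null)` guard that remains on the new side still skips `validateAssertion(assertion)` for tokens found in the token store, and nothing here records why that is acceptable now that signature verification runs before the lookup. If the store is only populated after a full validation of the same signed content, a one-line comment above the `if` would make that invariant explicit: `// Token-store hit: this signed content already passed schema/profile validation; only the signature is re-verified above`. If that invariant does not hold, validateAssertion should run unconditionally rather than inside the guard. The block this guard opens continues past the end of the hunk.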
@@ -211,7 +211,6 @@ public class SAMLTokenValidator implemen
if (!certConstraints.matches(cert)) {
return response;
}
-
}
// Parse roles from the validated token
Modified: cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java?rev=1551228&r1=1551227&r2=1551228&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java (original)
+++ cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/validator/SAMLTokenValidatorTest.java Mon Dec 16 15:18:58 2013
@@ -34,6 +34,7 @@ import javax.security.auth.callback.Unsu
import org.w3c.dom.Document;
import org.w3c.dom.Element;
+
import org.apache.cxf.jaxws.context.WebServiceContextImpl;
import org.apache.cxf.jaxws.context.WrappedMessageContext;
import org.apache.cxf.message.MessageImpl;
@@ -425,6 +426,53 @@ public class SAMLTokenValidatorTest exte
assertTrue(roles.iterator().next().getName().equals("employee"));
}
+ /**
+ * Test an invalid SAML 2 Assertion
+ */
+ @org.junit.Test
+ public void testInvalidSAML2Assertion() throws Exception {
+ TokenValidator samlTokenValidator = new SAMLTokenValidator();
+ TokenValidatorParameters validatorParameters = createValidatorParameters();
+ TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();
+
+ // Create a ValidateTarget consisting of a SAML Assertion
+ Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
+ CallbackHandler callbackHandler = new PasswordCallbackHandler();
+ Element samlToken =
+ createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler);
+ Document doc = samlToken.getOwnerDocument();
+ samlToken = (Element)doc.appendChild(samlToken);
+
+ ReceivedToken validateTarget = new ReceivedToken(samlToken);
+ tokenRequirements.setValidateTarget(validateTarget);
+ validatorParameters.setToken(validateTarget);
+
+ assertTrue(samlTokenValidator.canHandleToken(validateTarget));
+
+ TokenValidatorResponse validatorResponse =
+ samlTokenValidator.validateToken(validatorParameters);
+ assertTrue(validatorResponse != null);
+ assertTrue(validatorResponse.getToken() != null);
+ assertTrue(validatorResponse.getToken().getState() == STATE.VALID);
+
+ // Replace "alice" with "bob".
+ Element nameID =
+ (Element)samlToken.getElementsByTagNameNS(WSConstants.SAML2_NS, "NameID").item(0);
+ nameID.setTextContent("bob");
+
+ // Now validate again
+ validateTarget = new ReceivedToken(samlToken);
+ tokenRequirements.setValidateTarget(validateTarget);
+ validatorParameters.setToken(validateTarget);
+
+ assertTrue(samlTokenValidator.canHandleToken(validateTarget));
+
+ validatorResponse = samlTokenValidator.validateToken(validatorParameters);
+ assertTrue(validatorResponse != null);
+ assertTrue(validatorResponse.getToken() != null);
+ assertTrue(validatorResponse.getToken().getState() != STATE.VALID);
+ }
+
private TokenValidatorParameters createValidatorParameters() throws WSSecurityException {
TokenValidatorParameters parameters = new TokenValidatorParameters();
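Review bot: testInvalidSAML2Assertion only pins the regression it targets if the first validateToken call actually stores the token so that the second call would hit the token store; createValidatorParameters() is defined outside this hunk and the test never checks the store is present, so it would also pass in a configuration where signature verification always ran and no cache was involved. I would add `assertTrue(validatorParameters.getTokenStore() != null);` before the first validateToken call, matching the file's assertTrue style. The Javadoc `Test an invalid SAML 2 Assertion` undersells the case; `Test that a signed SAML 2 Assertion modified after a successful validation is rejected on re-validation, even when a token store is configured` says what is being protected. If the state expected on the second call is a specific value, `getState() != STATE.VALID` could be tightened to that value so an unexpected state does not pass silently.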
@@ -627,5 +675,5 @@ public class SAMLTokenValidatorTest exte
}
}
-
+
}